#!/bin/bash

kubectl apply -f dashboard.yaml
# https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
EOF
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
EOF

##是因为kubernetes基于安全性的考虑，浏览器必须要一个根证书，防止中间人攻击
#http://192.168.99.10:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/.
sudo grep 'client-certificate-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
sudo grep 'client-key-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client" -passout pass:
echo "在访问集群的浏览器导入 kubecfg.p12 这个证书后访问..."
# 导入证书后，https://192.168.99.10:6443/healthz 这个使用证书可以访问

#可以获取token
echo "访问集群的token如下..."
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')

echo "Dashboard的访问地址： http://192.168.99.10:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ "
#???1.17存在问题，下文的描述
kubectl proxy --address='0.0.0.0' --accept-hosts='^*$'

:<<EOF
访问机器上：
1 拷出证书 
scp -i private_key -o StrictHostKeyChecking=no vagrant@192.168.99.10:/home/vagrant/kubecfg.p12 kubecfg.p12
2 浏览器导入如上证书
3 使用如上的URL和token访问
https://lb.kubesphere.local:6443/healthz 【lb.kubesphere.local -> 192.168.99.10】 这个可以检查证书的效果

能看到dashboard服务的集群ip地址地方，可以这样，但由于是命令行系统无浏览器，一般这个方式用不了
$ k get pods -o name -n kubernetes-dashboard
pod/dashboard-metrics-scraper-557f68956f-6mj6l
pod/kubernetes-dashboard-669cb44fb8-q7pd6
$ k get svc -o name -n kubernetes-dashboard
service/dashboard-metrics-scraper
service/kubernetes-dashboard

$ k get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   10.233.15.86   <none>        8000/TCP        108m
kubernetes-dashboard        NodePort    10.233.18.88   <none>        443:30834/TCP   108m
$ curl -k https://10.233.18.88

UI设置方式1：
　http://192.168.99.10:30880/clusters/default/projects/kubernetes-dashboard/services/kubernetes-dashboard/resource-status
设置node port访问方式，此时即可看到自动分配的端口：　nodeIp + nodePort
kind: Service
apiVersion: v1
...
spec:
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443
      nodePort: 30834

方式2：
　kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 10443:443 --address 0.0.0.0
　https://192.168.99.10:10443/　通过这个地址即可访问dashboard
  
  如下两个方式都可用
  #2.1 中转到服务上
  kubectl port-forward $(kubectl -n kubernetes-dashboard get pod -o name | grep kubernetes-dashboard) 8444:443 -n kubernetes-dashboard --address=0.0.0.0
  #2.2 中转到pod上
  kubectl port-forward -n kubernetes-dashboard $(kubectl -n kubernetes-dashboard get pod -o name | grep kubernetes-dashboard) 10443:8443 --address 0.0.0.0
方式3:
  kubectl proxy的1.18直接可以http://192.168.99.10:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/　访问，但1.17不行【出现401未授权问题】
  https://github.com/kubernetes/dashboard/issues/4537
  ssh -L 8001:192.168.99.10:8001 -NT -i private_key -o StrictHostKeyChecking=no vagrant@192.1699.10
  　http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
EOF